INFORMATION SHARING PROTOCOL

Between

The Probation Board for Northern Ireland

(PBNI)

&

The Probation Service (Ireland)

In respect of

The Management of Sex Offenders and

Offenders assessed as a Risk of Serious Harm

to Others

June 2014

VERSION CONTROL SHEET

TITLE

The Management of Sex Offenders and

Offenders assessed as a Risk of Serious

Harm to Others

Information Asset

Owner (s)

PBNI and PS

Version 1 Implemented June 2006

Version 1.1 Reviewed June 2007

Version 1.2 Reviewed May 2010

Version 1.3 Reviewed January 2014

Version 2 FINAL June 2014

Next review May 2016

TABLE OF CONTENTS

1. INTRODUCTION 1

2. DRIVERS 2

3. APPLICATION 2

4. PURPOSE 3

5. PARTIES TO THE PROTOCOL 4

6. DEFINITIONS IN RESPECT OF THE DATA PROTECTION ACT 1998 & DATA

PROTECTION 1988 & 2003 4

7. OPERATIONAL PROCEDURES FOR THE SHARING OF INFORMATION 4

8. DESCRIPTION OF DATA TO BE SHARED 7

9. SHARING OF INFORMATION – CONSENT 7

10. UNDERLYING PRINCIPLES FOR INFORMATION SHARING 8

11. ACCESS AND INDIVIDUAL’S RIGHTS (REQUESTS FOR INFORMATION) 9

12. INFORMATION GOVERNANCE 10

13. TRAINING 10

14. COMPLAINTS 10

15. SENIOR MANAGEMENT COMMUNICATIONS 10

16. MONITORING AND REVIEW 11

17. SIGNATORIES 11

APPENDICES

1. DEFINITIONS 12

2. LEGISLATIVE REQUIREMENTS 15

3. CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE:

PROCESSING OF ANY PERSONAL DATA 18

4. INFORMATION GOVERNANCE 19

1

1. INTRODUCTION

1.1 The aim of this protocol is to protect the public in Northern Ireland and Republic of Ireland

from Sex Offenders and Offenders assessed as Risk of Serious Harm (RoSH) who move

between jurisdictions by:

Providing a framework for the secure and confidential sharing of information (personal

and non personal) between the Probation Board for Northern Ireland, hereafter, in this

protocol referred to as PBNI, and the Probation Service, (Ireland), hereafter in this

protocol referred to as PS.

Co-ordinating and strengthening the supervision and management of sex offenders

and offenders assessed as Risk of Serious Harm, in the community in both

jurisdictions.

1.2 For the purpose of this protocol:

a) a sex offender is an individual who has been convicted of a sex offence as defined

by the Sexual Offences Act 2003 as applied to Northern Ireland and the Sex

Offenders Act 2001 (Ireland).

b) an offender assessed as Risk of Serious Harm is defined as follows:

PBNI:

Where there is high likelihood that an offender will commit a further offence, causing

serious harm. (PBNI RoSH Policy 2013)

Serious harm is defined in the Criminal Justice (Northern Ireland) Order 2008 as

death or serious personal injury whether physical or psychological

PS:

Serious harm is defined as “personal, physical or psychological harm which is life

threatening and/or traumatic and from which recovery is usually difficult or

incomplete”. (PSROSH Guidance Document January 2012)

1.3 This protocol is effective from 1 June 2014. It replaces the protocol issued in May 2010.

1.4 This protocol does not impose a duty to disclose information in any particular case

nor does it provide the power to demand disclosure.

1.5 This protocol may be cancelled by either party at any time, in writing, to be sent to

the relevant signatory. (para 17)

2

2. DRIVERS

2.1 This protocol has been developed in part due to the fact that it is not legally possible to

transfer court orders from one jurisdiction to another. It is to facilitate and/or implement the

arrangements and/or legislative requirements as per:

a) The Memorandum of Understanding between the Government of the UK and the

Government of Ireland on information sharing arrangements relating to Sex

Offenders.

b) The Criminal Justice Inspection report on the Management of Sex Offenders in

Northern Ireland, (2005) i.e.

Recommendations No 4 (page 10) and at Para 2.15 (page 23) “Inspectors would

encourage progress in respect of Recommendation 291 of the Criminal Justice

Review which suggests a coordinated cross-border approach to dangerous

offenders”

Recommendation 291 of the Review of the Criminal Justice System in Northern

Ireland refers to dangerous offender registers and consideration to sharing

information between the authorities in the two jurisdictions so that there can be a co-

ordinated approach to dangerous offender registers (Criminal Justice Review

Implementation Plan November 2001)

c) The Probation Service (Ireland) Protocol for Service Operation of Part 5 of Sex

Offender Act 2001

d) The SOMEC European Union (Serious Offending by Mobile European Criminals)

initiative project which aims to improve cross-border information sharing on serious

violent or sexual offenders travelling across the European Union

and

e) Co-operation on Criminal Justice Matters through the work of the Public Protection

Advisory Group, under the Inter-Governmental Protocol

3. APPLICATION

3.1 This protocol applies to persons who:

a) Are subject to the notification requirements of part 2 of the Sexual Offences Act

2003 (Northern Ireland) or Part 2 of the Sex Offenders Act 2001 (Ireland) and are

subject to supervision by the probation service in either jurisdiction, or

3

b) Have been convicted of a sexual offence (but are not subject to supervision orders)

and are leaving prison, or

c) Whose current offence is not a sexual one, but who have a previous conviction for a

sexual offence and who are currently subject to supervision.

d) Offenders in Northern Ireland who have been assessed as a Risk of Serious Harm

to others in accordance with PBNI Policy (2013) are currently subject to a Licence

or Order in Northern Ireland and

e) Offenders in the Republic of Ireland who are assessed as being a Risk of Serious

Harm to others and who are subject to Probation Supervision.

3.2 For the purposes of this protocol ‘move’ is defined as:

A planned change of residence to the adjacent jurisdiction

An unplanned or unauthorised move to the adjacent jurisdiction

Offenders who are working or regularly visiting within the adjacent jurisdiction

Offenders who cannot be traced and there is a reasonable concern they may

currently be/or likely to cross into the adjacent jurisdiction.

3.3 From this point, persons subject to this protocol will be referred to as:

a) Sex Offenders

b) Offenders assessed as Risk of Serious Harm to others (RoSH)

4. PURPOSE

4.1 The purpose of this protocol is to facilitate the exchange of personal data and other

information to enable the Probation Board for Northern Ireland (PBNI) and the Probation

Service (Ireland) (PS) to:

Agree voluntary arrangements for community sentences

Agree voluntary arrangements for post custodial supervision

Share information for the preparation of pre-sentence reports on sex offenders and

Offenders assessed as Risk of Serious Harm to others who move between

respective jurisdictions in Ireland

Enhance public protection in both jurisdictions.

4.2 The parties agree that the personal data and sensitive personal data obtained through the

protocol shall not be used for any purpose other than that specified at 4.1, and shall not be

4

shared with any other individual or group, other than in circumstances where disclosure is

required by law or in the interests of public protection.

4.3 Where there is a clearly identified risk to the public in Northern Ireland, PBNI will share

information on an individual Sex/RoSH Offender with Police Service for Northern Ireland

(PSNI) and/or Health & Social Care Trusts in accordance with current Public Protection

Arrangements for Northern Ireland (PPANI) and PBNI Child Protection procedures.

4.4 Where there is a clearly identified risk to the public in Republic of Ireland, the Probation

Service will share information on the relevant Sex/RoSH Offender with the Garda Síochána

and / or Child and Family Agency in accordance with the Sex Offender Risk Assessment

and Management (SORAM) Procedures / Probation Service Child Protection Policy 2009 /

Data Protection Act 1998 / 2003.

5. PARTIES TO THE PROTOCOL

The Probation Board for Northern Ireland (PBNI)

The Probation Service (Ireland)

6. DEFINITIONS IN RESPECT OF THE DATA PROTECTION ACT 1998 AND DATA

PROTECTION ACT 1988 AND 2003

See Appendix 1

7. OPERATIONAL PROCEDURES FOR THE SHARING OF INFORMATION

7.1 Sender’s Role: This is the Area Manager (AM), PBNI /Senior Probation Officer (SPO),

Probation Service, in the jurisdiction where the offender is currently being supervised or

residing.

It is the Sender’s responsibility, on becoming aware of an offender who has or is preparing

to move as defined in paragraph 3.2.

Advise the Area Manager (AM) or Senior Probation Officer (SPO) in the adjacent

jurisdiction – this should initially be done by phone1

1. Advise your Assistant Director (PBNI) or Regional Manager (Probation Service)

2. Send collated information, by encrypted email as referred to in para 7.3, to your

single point of contact for your organisation within 3 working days

1For out of office hours contacts, Probation Service staff will phone PBNI’s out of hours number 048 9056

5795 - PBNI staff will telephone the Probation Service on 00353(0)862416429 / (0)868179609

5

3. If appropriate, advise Garda/PSNI and/or Social Services / Child and Family Agency

as per current public protection and/or child protection arrangements.

7.2 Receiver’s Role: This is the AM/SPO in the jurisdiction to which the offender has moved.

On receiving information under the protocol it is the responsibility of the AM/SPO to:

1. Advise your Assistant Director or Regional Manager.

2. On approval from Assistant Director/Regional Manager allocate a Probation

Officer (in case where offender has moved to jurisdiction).

3. If appropriate advise local police and/or social services as per current public

protection and/or child protection arrangements.

4. Ensure offender’s details are recorded appropriately, including on electronic

information systems where appropriate.

7.3 Single Point of Contact Role; (SPOC)

The role of the SPOC is to act as a central point of contact within each jurisdiction for the

collation and communication of all transfer requests and information exchanges.

Northern Ireland

Email intdesk.pbni@pbni.gsi.gov.uk

Phone 04890 262469

Mobile 0044 7789412608

Republic of Ireland

Email internationaldesk@probation.ie

Phone 0035318173600

Mobile 00353862546987

The SPOC, on being advised by their AM/SPO of a change in an individual's circumstances,

is to:

Collate the detailed information and forward electronically to the single point of

contact in the receiving jurisdiction within one working day

6

The receiving SPOC is to forward the information electronically on to the relevant

AM/SPO in the receiving jurisdiction within one working day.

7.4 Operational Procedures for Voluntary Supervision

7.4.1 Where an offender on supervision indicates his intention to move to the other jurisdiction,

he should be advised of the arrangements for supervision.2

7.4.2 Process to be followed:

1. The AM/SPO (sending) should contact their SPOC

2. The SPOC will liaise with their counterpart in the adjacent jurisdiction who will then

inform the relevant AM/SPO of the request for voluntary supervision

3. Once this has been approved by the Assistant Director/Regional Manager the

AM/SPOs are to make the arrangements for the case transfer.

7.4.3 The proposed address should be supplied as well as any details and information relevant to

the assessment of risk in the new circumstances.

7.4.4 The SPO/AM receiving will arrange for a home visit or office interview with relevant people

(e.g. proposed employer or head of household of proposed residence).

7.4.5 Offenders will be supervised in accordance with practice standards extant in the receiving

jurisdiction.

7.4.6 Where child protection concerns arise, the SPO/AM will inform the relevant Social Services/

Child and Family Agency.

7.4.7 The PPANI Administration Unit (Northern Ireland) or Regional Manager, (Republic of

Ireland) will be informed by the receiving AM/SPO as deemed appropriate according to

assessed level of risk. (see 4.3)

7.4.8 In the event of failure to co-operate with voluntary supervision, the receiving SPO/AM will

provide all information to the sending SPO/AM to facilitate enforcement in the sending

jurisdiction3.

7.4.9 In cases where an offender has moved without authorisation, the receiving probation

service shall consider offering the offender voluntary supervision. This offer of voluntary

supervision will not obviate the enforcement responsibilities of the Agency which holds

statutory responsibility for supervision of the offender.

2 These arrangements for voluntary supervision exclude offenders subject to Determinate Custodial Sentences (DCS) or

Public Protection Sentence as per Criminal Justice (NI) Order 2008 where offenders are required to reside in the jurisdiction of the United Kingdom. 3 This information will be communicated through the SPOC in both jurisdictions, as occurs with the original referral

7

8. DESCRIPTION OF DATA TO BE SHARED

8.1 In the case of an offender proposing to move, or have reported to have moved residence

(to the other jurisdiction), a report should be prepared for the purpose of sharing relevant

information.

8.2 For the purpose of this protocol the following information will be shared at the outset:

Name/Alias/Date of Birth/Current address

Current/previous offence

Type of order/licence including details of restrictions and/or requirements

Existence of any other court orders

Summary of Criminal Record (The Criminal Record must not be attached).

Most recent work plan and summary of Risk Management Meeting where applicable

and where available the RM2000 and SA07 and PSROSH/PSROSH (SO)

assessment outcomes, or equivalent.

Response to supervision

Current social circumstances for example, employment/accommodation/

lifestyle/associates. Any known supports

Any information about proposed address

Length of proposed stay, if known

Particular areas of concern.

9. SHARING OF INFORMATION – CONSENT

9.1 Obtaining consent remains a matter of good practice and, in circumstances where it is

appropriate and possible, explicit consent should be sought from and freely given by the

data subject. The individual should always be informed about how their information will be

used and with whom it may be shared even if consent not required.

However, in many cases seeking consent might not always be possible or appropriate. In

such cases the disclosing body must consider the possible grounds which may give cause

to override consent. See Appendix 2 (Legislative requirements - Public Interest)

8

10. UNDERLYING PRINCIPLES FOR INFORMATION SHARING

10.1 Each of the parties is responsible for their own information and therefore must be sure that

they have the power to disclose the relevant information in each particular case.

Personal information should only be shared when the disclosing party is satisfied that

(i) They are legally empowered to do so

(ii) The proposed disclosure of personal information can be done in accordance with

the Principles of the Data Protection Act (1998 for NI) and 1988 & 2003 (Ireland).

(iii) They can disclose personal information reflecting the common law duty of

confidentiality and

(iv) The Principles of the Human Rights Act 1998 (NI) and the European Convention of

Human Rights Act 2003 (Ireland).

10.2 The information that is shared in accordance with this protocol will be:

a. Treated in the strictest confidence

b. Where applicable, appropriate protectively marked in accordance with respective

protective marking policies.

c. Used only for the purposes set out in this protocol

d. Used only by those authorities with a statutory duty to pursue those purposes.

10.3 The protocol will be operated within the context of the individual’s rights and protection

enshrined in legislation.

10.4 PBNI Legal Authority

The Probation Board (Northern Ireland) Order 1982

The Criminal Justice (Northern Ireland) Order 2008

The Sexual Offences (Northern Ireland) Order 2008

10.5 Probation Service Ireland Legal Authority

The Probation of Offenders Act 1907

The Criminal Justice Act, 2006

The Sex Offender Act 2001

Criminal Justice (Temporary Release of Prisoners) Act 2003

9

10.6 Other relevant key legislation and guidance

The Data Protection Act 1998

The Data Protection Acts 1988 and 2003

The Human Rights Act 1998

European Convention of Human Rights Act 2003

The Freedom of Information Act 2000

The Freedom of Information (Amendment) Act 2003

The Common Law Duty of Confidentiality

Memorandum of Understanding between the Government of the UK and the Government of

Ireland on information sharing arrangements relating to Sex Offenders

Information Commissioner’s Office (ICO) Data Sharing Code of Practice.

Data Protection Commissioner – relevant guidance.

10.7 The sharing of information under this protocol is compliant with both parties ‘registration

arrangements with the Information Commissioner (UK) or the Data Protection

Commissioner (Ireland) under the respective Data Protection Acts.

11. ACCESS AND INDIVIDUALS’ RIGHTS (REQUESTS FOR INFORMATION)

11.1 The parties to the protocol recognise that when responding to requests for information

under the Freedom of Information Act 2000 (UK) or Freedom of Information Act 1997 and

the Freedom of Information (Amendment) Act 2003 (Ireland) or in fulfilling their statutory

obligations under section 7 of the Data Protection Act 1998 (UK), or Section 4 Data

Protection Act 1988 (Ireland) that it would be good practice to consult the party from whom

information has been received before disclosing it.

Consultation will allow a party to ascertain whether any of the exemptions set out in the

relevant and respective legislation apply to that information.

The party to whom the request was made will respond to it. The request will only apply to

information shared for purposes of this protocol.

11.2 The parties agree to provide reasonable assistance to one another to enable them to

respond to such a request within the timescales set out in the relevant legislation i.e. 40

days in respect of Data Protection and 20 working days in respect to Freedom of

Information.

11.3 Information will be released in accordance with the relevant legislation unless an exemption

applies.

10

11.4 The Probation Board and Probation Service Ireland will adhere to their obligations to

maintain a publication scheme in accordance with the Freedom of Information Acts.

Consideration will be given to this agreement, when completed, being made available for

publication on respective websites (subject to any exemptions).

12. INFORMATION GOVERNANCE4 (See Appendix 4)

This sets out the key responsibilities of each party in respect of the Data Protection

Principles.

13. TRAINING

13.1. Each party must ensure that adequate training is provided to staff involved in the sharing of

information under this protocol so that they are aware of their legal responsibilities in this

regard. Both parties will ensure that staff are aware that they may be subject to disciplinary

and/or legal proceedings should there be any breaches of the Data Protection Act arising

out of the operation of this protocol.(see also section 12, Appendix 4)

14. COMPLAINTS

Complaints to either of the parties should be dealt with through the respective

organisation’s complaints procedure.

15. SENIOR MANAGEMENT COMMUNICATIONS

15.1 In the event of media interest in relation to an offender subject to this protocol the relevant

senior manager5 shall contact his/her counterpart in the relevant jurisdiction. The respective

PR/Communications departments should also be consulted.

15.2 In respect of NI, in the event of a decision to make public disclosure with regard to an

offender subject to this protocol, the relevant senior manager from PBNI will contact their

counterpart in the Probation Service.

15.3 In the event of a serious incident/situation involving an offender subject to this protocol the

relevant senior manager will contact their counterpoint to share immediate information and

to agree steps to be taken to manage the situation.

4 Ref First Schedule, Chapter 11 of the Data Protection Act 1988 the Data Protection (Amendment) Act 2003, and Part 1 Section 4 of the Data Protection Act 1998 5 The relevant senior manager for PBNI is the Assistant Director for Risk. PS is Assistant Director for Risk and

Resettlement

11

16. MONITORING AND REVIEW

This protocol will be monitored on a regular basis to allow either party to advise of changes

or raise concerns as required. The relevant senior managers will liaise directly at least on a

bi annual basis to monitor the application and operation of the protocol.

The protocol will be formally reviewed every two years from date of commencement (para

1.3) or earlier at the request of either party or to take account of any legislative changes

which impact on the protocol. All changes to the protocol are to be agreed and approved

by both signatories prior to the changes taking place.

17. SIGNATORIES

We, the undersigned have read and agree to this protocol between The Probation Board for

Northern Ireland and The Probation Service (Ireland), to carry out our roles and

responsibilities and to share and provide the information as outlined in this protocol.

17.1 Signed for: Probation Board for Northern Ireland

Name: ________________________________

(Print)

Position: ________________________________

Signature: ________________________________

Date: ________________________________

Signed for: The Probation Service (Ireland)

Name: ________________________________

(Print)

Position: ________________________________

Signature: ________________________________

Date: ________________________________

12

Appendix 1

Definitions

Data Protection Act 1998 (UK) Chapter 29, Part 1 Preliminary

1. Data

Information which:

a) is being processed by means of equipment operating automatically in response to instruction

given for this purpose;

b) is recorded with the intention that it should be processed by such equipment;

c) is recorded as part of a relevant filing system; or

d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined

by section 68 of the Data Protection Act 1998

e) is recorded information held by a public authority and does not fall within any of paragraphs (a)

to (d)

Note: Under the Freedom of Information Act 2000 S.69 (2) the meaning of personal data has been

extended (for public authorities) to include “unstructured personal data”. (UK)

2. Data Controller

A person who (either alone or jointly in common with other persons) determines the purposes for

which and the manner in which any personal data are, or are to be processed.

3. Data Processor

Any person who, in relation to personal data (other than an employee of the Data Controller) who

processes the data on behalf of the Data Controller.

4. Data Subject

An individual who is the subject of the data

5. Personal Data

Data which relate to a living individual who can be identified-

a) from those data; or

b)from those data and other information which is in the possession of, or is likely to come into the

possession of, the Data Controller, and includes any expression of opinion about the individual and

any indication of the intentions of the Data Controller or any other person in respect of the

individual

13

6. Processing

Means obtaining, recording or holding information or data or carrying out any operation or sets of

operations on the information or data, including:

a) organisation, adaptation or alteration of the information or data;

b) retrieval, consultation or use of the information or data;

c) disclosure of the information or data by transmission, dissemination or otherwise making

available; or alignment, combination, blocking, erasure or destruction of the information or

data

7. Sensitive personal data

Personal data consisting of information as to:-

a) the racial or ethnic origin of the data subject;

b) his political opinions;

c) his religious beliefs or other beliefs of a similar nature;

d) whether he is a member of a trade union

e) his physical or mental health or condition;

f) his sexual life;

g) the commission or alleged commission by him of any offence; or

h) any proceedings for any offence committed or alleged to have been committed by him, the

disposal of such proceedings or the sentence of any court in such proceedings.

Data Protection Act 1988 (Republic of Ireland) Number 25, Preliminary & First Schedule,

Chapter 1, Article 2 and Data Protection Act (Amendment) 2003 Section 2

1. Data means information in a form in which it can be processed:

2. Data controller means a person who, either alone or with others, controls the contents and

use of personal data

3. Data equipment means equipment for processing data

4. Data material means any document or other material used in connection with, or produced

by, data equipment

5. Data processor means a person who processes personal data on behalf of a data

controller but does not include an employee of a data controller who processes such data in

the course of his employment

14

6. Data subject means an individual who is the subject of personal data

7. Personal Data means any information relating to an identified or identifiable individual

(“Data Subject”)

8. Automated Data File means any set of data undergoing automatic processing

9. Automatic processing includes the following operations if carried out in whole or in part by

automated means: storage of data, carrying out of logical and/or arithmetical operations on

those data, their alteration, erasure, retrieval or dissemination.

10. Sensitive personal data means personal data as to—

(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of

the data subject,

(b) whether the data subject is a member of a trade union,

(c) the physical or mental health or condition or sexual life of the data subject,

(d) the commission or alleged commission of any offence by the data subject, or

(e) any proceedings for an offence committed or alleged to have been committed by the

data subject, the disposal of such proceedings or the sentence of any court in such

proceedings;

15

Appendix 2

LEGISLATIVE REQUIREMENTS (NI) CONSENT (Para 9.1)

1. Northern Ireland - Public Interest

If consent has been sought and refused, or if it would prejudice the work of the Probation

Board for Northern Ireland, in this instance, to seek consent, an overriding public interest

may justify disclosure of information.

The criteria for public interest includes:

- The administration of justice

- Maintaining public safety

- The apprehension of offenders

- The prevention of crime and disorder

- The detection of crime

- The protection of vulnerable members of the community

When judging the public interest it is necessary to consider the following:

- Is the intended disclosure proportionate to the intended aim?

- What is the vulnerability of those who are at risk?

- What is the likely impact of the disclosure on the offender

- Is there another equally effective means of achieving the same aim?

- Is the disclosure necessary to uphold the rights and freedoms of the public?

- Is it necessary to disclose the information/data to protect other vulnerable people?

The rule of proportionality should be applied to ensure that a fair balance is achieved

between the public interest and the rights of the data subject.

16

2. LEGISLATIVE REQUIREMENTS: IRELAND Public Interest: Section 8 of the Data

Protection Acts 1988 & 2003

This section of the Act lifts the restriction on disclosure in certain circumstances, so that

disclosures may be made in cases where the individual's right to privacy must be balanced

against other needs of civil society including:

- Section 8(b) "required for the purpose of preventing, detecting or investigating

offences, apprehending or prosecuting offenders…”

- Section 8(d) "The disclosure is required urgently to prevent injury or other damage

to the health of a person or serious loss of or damage to property".

Disclosures Permitted under section 8 of the Data Protection Acts 1988 & 2003

Section 2(1) (c) of the Data Protection Acts, provides that a data controller shall not further

process personal data (which includes disclosure to a third party), except in ways that are

compatible with the purpose for which the data were obtained.

However, this non-disclosure rule is not unqualified. Section 8 of the Act lifts the restriction

on disclosure in certain circumstances, so that disclosures may be made in cases where

the individual's right to privacy must be balanced against other needs of civil society, or

where the disclosure is in the interests of the individual. The circumstances specified in

section 8 are listed below, along with some explanatory comments.

Section 8(b) "required for the purpose of preventing, detecting or investigating offences,

apprehending or prosecuting offenders or assessing or collecting any tax, duty or other

moneys owed or payable to the State, a local authority or a health board, in any case in

which the application of those restrictions would be likely to prejudice any of the matters

aforesaid"

Comment: The individual’s right to privacy must be balanced against the need to

investigate offences and collect taxes effectively. If a data controller is approached by a law

enforcement authority or by a tax collecting authority, which seeks to have personal data

disclosed to it under this section of the Data Protection Act, it is a matter for the data

controller: (i) to satisfy itself that the provisions of this section are met, for example by

establishing the bona fides of the authority and by obtaining assurances that the disclosure

is actually necessary, and not merely of side interest, for the investigation of an offence;

and (ii) to decide whether or not to comply with the request for disclosure. While this section

of the Data Protection Act lifts the restrictions on disclosure by a data controller to a law

enforcement authority or to a tax collecting authority, this section does not impose any

obligation on a data controller to comply with the request for disclosure.

17

Section 8(d) "The disclosure is required urgently to prevent injury or other damage to the

health of a person or serious loss of or damage to property"

Comment: The individual’s right to privacy can be set aside where personal data must be

disclosed in order to save someone’s life or protect someone’s health, or to prevent

property from being destroyed. This provision does not authorise disclosures of personal

information for general health research purposes, or for other medical purposes where

there is no immediate or urgent risk to someone’s life or health. In such cases, the normal

data protection rules apply, including the obtaining of consent where necessary.

Section 8(e) "required by or under any enactment or by a rule of law or order of a court"

Comment: If you are under a legal obligation to disclose personal data, then this obligation

takes precedence over the Data Protection Act’s prohibition on disclosure. However, if you

have a statutory discretion to make information available, matters are not so clear-cut. The

Data Protection Commissioner has found, in the past, that a statutory discretion to make

information available did not come within the scope of section 8(e) of the Data Protection

Act, and that accordingly the restriction on disclosure of personal data remained in force.

Section 8(h) "made at the request or with the consent of the data subject or to a person

acting on his behalf"

Comment: If a third party, such as a prospective employer, requests personal information

from you about an individual, and if the third party has the clear consent of that individual,

then you may disclose the personal data, if you wish. This section of the Data Protection

Act places you under no obligation to respond positively to the request for information, if

you do not want to6.

Rights and restrictions regarding the disclosure of information are also governed by the

Freedom of Information Acts 1997 and 2003. The main purpose of this legislation is:

“To enable members of the public to obtain access to the greatest extent possible

consistent with the public interest and the right to privacy, to information in the possession

of public bodies”.

6 Data Protection Commissioner’s Office.

18

APPENDIX 3

CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE:

PROCESSING OF ANY PERSONAL DATA

The Data Protection Act 1998 requires that at least one condition from those listed in Schedules 2 and 3 to the Act apply in relation to the processing of personal data and sensitive personal data. The relevant conditions are listed below in an abridged form (please refer to the Data Protection Act for detail).

Conditions in Schedule 2: Conditions in Schedule 3:

Paragraph 1: The data subject has given consent to the processing.

Paragraph 1: The data subject has given explicit consent to the processing.

Paragraph 2: The processing is necessary for (a) the performance of any contract to which the data subject is a party; or (b) for the taking of steps at the request of the data subject with a view to entering into a contract.

Paragraph 2: (1)The processing is necessary for the purposes of exercising or performing a legal right or obligation in the context of employment.

Paragraph 3: The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

Paragraph 3: The processing is necessary (a) to protect the vital interests of the data subject or another person in a case where – (i) consent cannot be given by or on behalf of the data subject, or (ii) the data controller cannot reasonably be expected to obtain the consent of the data subject or, (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

Paragraph 4: The processing is necessary in order to protect the vital interests of the data subject.

Paragraph 4: The processing is of political, philosophical, religious or trade union data in connection with its legitimate interests by any non-profit bodies.

Paragraph 5: The processing is necessary: (a) for the administration of justice; (b) for the exercise of any functions conferred on any person by or under any enactment; (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department; or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

Paragraph 5: The processing is of information made public as a result of steps deliberately taken by the data subject. Paragraph 6: The processing is necessary in connection with legal proceedings or the seeking of legal advice. Paragraph 7: (1)The processing is necessary (a) for the administration of justice; (b) for the exercise of any function conferred on any person by or under any enactment; (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

Paragraph 6(1): The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Paragraph 8: The processing is necessary for medical purposes and is carried out by medical professionals or others owing an obligation of confidence to the data subject. Paragraph 9: The processing is necessary for ethnic monitoring purposes.

Paragraph 6(2): The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

Paragraph 10: The personal data are processed in circumstances specified in an order made by the Secretary of State for certain purposes. The Data Protection (Processing of Personal Data) Order 2000 (SI 2000 No 417) specifies a number of circumstances in which sensitive personal data may be processed such as crime prevention, policing and regulatory functions (subject to a substantial public interest test);

19

Appendix 4

Information Governance

1. Fair and Lawful

Both parties agree that personal data shall be processed fairly and lawfully and in particular

shall not be processed unless certain conditions are met as required by Principle 1 of the

Data Protection Act 1998 and First Schedule, Chapter 11 Article 4 of the Data Protection

Act 1988.

Where information is shared under the terms of this Protocol for the purposes set out para

4 the following conditions are relevant.

- (Ireland) Section 8 (b), See Appendix 2

- (NI) Schedule 2 paragraphs 1, 2(a), 6.1 & Schedule 3 paragraphs 1, 3, 7(a), See

Appendix 3

2. Common Law duty of Confidentiality

Where an organisation owes a common law duty of confidentiality, that duty of

confidentiality continues to apply. Where consent cannot be obtained from the data subject

to share/disclose his or her personal data with the other agency, that agency must consider

whether they have sufficient public interest grounds to override this duty. If the organisation

does not consider that there is sufficient overriding public interest to make the disclosure it

must not do so.

3. Human Rights Act 1998

Article 8 of the Human Rights Act 1998 states that everyone has the right to respect for his

private and family life, home and his correspondence and that there shall be no interference

by a public authority with this right except as in accordance with the law and is necessary in

a democratic society in the interests of:

a) National Security

b) Public Safety

c) Economic well-being of the country

d) The prevention of crime and disorder

e) The protection of health or morals

f) The protection of the rights or freedoms of others

20

If the disclosure of data will in some way infringe the rights of the data subject we will

consider the rule of proportionality. This is to ensure that fair balance must be achieved

between the protection of the individual’s rights, with the general interests of society.

4. European Convention on Human Rights Act 2003 (Ireland)

Article 8 of the European Convention on Human Rights Act 2003 states that 1) everyone

has the right to respect for his private and family life, home and his correspondence and

There shall be no interference by a public authority with the exercise of this right except

such as is in accordance with the law and is necessary in a democratic society in the

interests of national security, public safety or the economic well-being of the country,

for the prevention of disorder or crime, for the protection of health or morals, or for the

protection of the rights and freedoms of others.

5. Limited Purposes

Both parties agree that information will not be used for any other purpose than for which it

was given (para 4) and will not be disclosed to another agency or body without the

permission of the party which provided the information.

6. Adequate, Relevant and Not Excessive

Both parties agree that only the minimum data necessary will be exchanged to satisfy the

purpose of the disclosure.

7. Data Quality

Both parties agree to ensure that the data shared is as far as reasonable accurate and up

to date. Both parties agree that data discovered to be inaccurate or inadequate for the

specified purpose will be brought to the notice of the originator of the data. The originator

will be responsible for correcting the data and notifying all other recipients of the

corrections.

8. Retention and Destruction of the Data

Both parties agree that the relevant data will be retained by the party to whom it is

disclosed until such times as it is no longer required for the purposes of any legal action or

appeal process.

21

At the expiry of this period the party to whom it had been disclosed will destroy the relevant

information securely in keeping with that organisations retention and disposal policy and in

accordance with the Government Protective Marking scheme, if relevant..7

9. Security

Both parties to this protocol are responsible for ensuring that they have appropriate security

arrangements in place. They will consider how the relevant data will be stored, accessed

and transmitted. The single point of contact for each party will ensure that adequate steps

are taken to prevent:

a) accidental or deliberate destruction of the data;

b) accidental or deliberate modification of the data;

c) deliberate and unauthorised unavailability of the data;

d) unauthorised access to information to any computer system containing the data;

e) misuse of the data

10. The information to be shared by PBNI, for purposes of this protocol, will be protectively

marked as OFFICIAL-SENSITIVE under the current Government Protective Marking

Scheme (includes hard copy and if sent via secure email). This will depend on the

sensitivity of the information disclosed. Information for example which includes references

to offences, court disposal or risk, should be marked OFFICIAL-SENSITIVE.

11. Personal and sensitive personal information, if sent electronically, will only be sent to a

PBNI and Probation Ireland approved secure email address. (see 7.3)

12. Secure briefcases, where available, should be used when transporting manual personal or

sensitive personal information. Personal or sensitive information shall not be left

unattended by any of the parties.

13. Each party will adhere to their respective organisation’s data handling policies and

procedures – e.g. Records Management, Management of Information, and Security.

14. Protectively marked information, when posting, should be only be sent by special delivery,

double enveloped, with inner envelope marked as restricted or protect (depending on the

sensitivity of the information contained).

7 Changes to the current protective marking scheme (UK) are due to be implemented in April 2014

22

15. Breaches

Both parties will ensure that staff are aware that they may be subject to disciplinary and/or

legal proceedings should there be any breaches of the Data Protection Act arising out of

the operation of this protocol. This may be as a result of not adhering to the correct data

handling procedures for the exchange of information or through the wrongful disclosure of

information or the withholding of relevant personal information in respect of this protocol.

This may also result in enforcement action by the Information Commissioner’s Office and/or

the Data Protection Commissioner (Republic of Ireland).

16. All suspected or confirmed breaches of protectively marked/sensitive information including

information which has been lost or inadvertently disclosed must be reported immediately

upon discovery. The relevant organisation’s data loss/incident response plan must be

engaged and the single point of contact for each party (para 7.10) must be informed.

Relevant line managers must also be informed.

17. In respect of PBNI, this should be done, where possible, via email in the first instance to the

Information Security Officer at infosec@pbni.gsi.gov.uk

Please ensure that you also information your line manager of the situation.

18 In respect to Probation Service, Ireland, this should be done, where possible, via email in

the first instance to the Data Protection Officer at: foi@probation.ie

Please ensure that the Director of Operations is made aware of the situation through your

line manager.

19. Each organisation must ensure that it is familiar with the relevant Information/Data

Commissioner’s Guidance on data security breach management and its guidance/codes on

how and when to notify the respective Information Commissioner’s Office/Data Protection

Commissioner in the event of a breach.